Doesn't have to be webmail integration. Theoretically the source could be
any site that has articles with a LinkedIn share button (or comments
system) and a "Click here to log in to the forums with your email address
and password" button.
Since 90+% of people will have the same (easy) passwords for multiple
services, and the LinkedIn script would be able to slurp up the form
submissions on the site, that's the ballgame.
I sort of doubt this is happening though - I would think it would be a
pretty big scandal if something like that were to come out.
On Sun, Sep 22, 2013 at 7:31 PM, William Roush
<william.roush at roushtech.net> wrote:
> > The easiest way I know of is to convince the owner of a domain to load
> > a script you control.
>
> Yeah that is pretty much the easiest way, is there a LinkedIn integration
> out there that webmail clients are using? Ick...
>
> > How many pages do you visit that have those Facebook like / Tweet /
> > Google +1 buttons on them?
>
> We also have miles of logs of people accessing said sites via their
> client-side APIs because of it, so they stick out like a sore thumb. My
> biggest gripe is that even with the Engineer from LinkedIn there is just
> hand-waving and paranoia. I'm used to the network security guys dumping
> proof online when accusations like this are made in that realm.
>
> It seems 99% of "it must be happening" is the paranoia that their
> relationships with people are more interconnected than they think they are,
> and that computer algorithms can figure them out.
>
> William Roush
>
> On 9/22/2013 3:50 PM, James Nylen wrote:
> > The easiest way I know of is to convince the owner of a domain to load a
> > script you control. Once you do that, technically all bets are off and you
> > can capture any interaction with that domain.
> >
> > How many pages do you visit that have those Facebook like / Tweet /
> > Google +1 buttons on them? Yeah... I think those scripts are worth
> > blocking.
> >
> > On Sat, Sep 21, 2013 at 2:30 PM, William Roush
> > <william.roush at roushtech.net> wrote:
> > > I'll bite, how DO you gain control of a window you didn't spawn in
> > > javascript on a modern browser?
> > >
> > > I could see it being done with other technologies (ex: java applets?) or
> > > other exploits (XSS/CSRF), but I'd figure those would seem to be a lot
> > > easier to detect and we'd have evidence before this even came out.
> > >
> > > William Roush
> > >
> > > On 9/21/2013 2:03 PM, Mike Harrison wrote:
> > > > > I'd like to know what they mean by that... cross-window, cross-domain
> > > > > exploits? Aren't those nearly impossible on any modern browser?
> > > >
> > > > Not impossible, but I'm waiting for a better explanation of what really
> > > > happened. LinkedIn and other social media sites are often confusing to
> > > > some people, and they click [yes] and enter passwords without thought.
> > > >
> > > > It might be as simple as morons that use the same password for email as
> > > > things like LinkedIn, Facebook..
> > > > _______________________________________________
> > > > Chugalug mailing list
> > > > Chugalug at chugalug.org
> > > > http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
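The scenario at the top of this thread is a page that carries both third-party widget scripts (share buttons, a comments system) and a login form, so that any of those scripts can read what is typed into the form. The following audit check, an added example rather than code from anyone in the thread, flags exactly that combination in a page's HTML; the sample page and all hostnames in it are constructed placeholders.

```python
"""Audit check for the scenario above: a page that loads scripts from
third-party origins (share buttons, comment widgets) while also carrying a
login form. Such a script runs with full access to the page and can read any
form on it. Added example; sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageAuditor(HTMLParser):
    """Collect external script origins and note whether a password field exists."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.third_party_scripts = set()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Widgets are often embedded scheme-relative ("//host/x.js");
            # a default scheme lets urlparse recover the host.
            host = urlparse(a["src"], scheme="https").hostname
            if host and host != self.page_host:
                self.third_party_scripts.add(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True


def audit(page_url, html):
    """The page is at risk when a password field and a foreign script coexist."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    parser.close()
    return {
        "password_form": parser.has_password_field,
        "third_party_scripts": sorted(parser.third_party_scripts),
        "at_risk": parser.has_password_field and bool(parser.third_party_scripts),
    }


# Constructed sample: an article page with share/comment widgets and a forum login.
SAMPLE_PAGE = """<html><body><article><p>Some news story.</p></article>
<script src="/js/site.js"></script>
<script src="//share-widget.example/in.js"></script>
<script src="https://comments.example/embed.js"></script>
<form action="/forum/login" method="post">
  <input name="email" type="text"><input name="password" type="PASSWORD">
</form></body></html>"""
```

Calling `audit("https://news.example/story/1", SAMPLE_PAGE)` reports both widget scripts as third-party and marks the page at risk, while the same-origin `/js/site.js` is ignored.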